The days of smash-and-grab cyberattacks are over. Instead, headline-making hits on Acer, JBS Foods, and Colonial Pipeline make it clear: We’ve entered a new, more sophisticated modern era of ransomware tactics.
Ransomware gangs have expanded their playbooks to adopt advanced east-west maneuvering to amplify damage and halt business operations to improve their payment calculus. Today’s modern ransomware is exploiting IT infrastructures to move stealthily and persist for longer periods of time before springing its trap, putting security and IT teams at a disadvantage to prevent large-scale incidents.
Evolution of the Ransomware Three-Act Playbook
We like to think we already know how ransomware works—but ransomware crews have added a new act to their playbooks. They now expand their blast radius through the use of advanced land-and-pivot-style tactics to ensure a handsome payout from companies clamoring to regain operations without significant data leakage or reputational damage. Modern ransomware is carried out as a three-act playbook: initial access, midgame, and extortion. Each act has its unique specialization and tooling.
“The midgame is comprised of the stages of the kill chain where attackers pivot through your IT infrastructure, enumerate targets, escalate privileges, phone home, and compromise assets and network data stores to compel payment.”
Initial access is where they gain a foothold through a wide range of techniques proven effective over time, including phishing emails. The midgame is where the attacker pivots through your infrastructure, accumulating assets and compromising data before springing their extortion trap. The extortion cycle is when it’s too late and the damage is done.
Conventional wisdom says that access management and backup strategies are the remedies—but these haven’t slowed the ransomware-as-a-service (RaaS) industry. Unfortunately, initial access prevention relies on 100% efficacy, and because gangs are moving beyond mere encryption by exfiltrating and exploiting sensitive information, once backup comes into play, the damage is done regardless of how you handled the extortion demand. The crippling business damage is proportional to the ransomware campaign duration—specifically the midgame duration, as shown in the diagram. If you’re watching inside the network, the midgame is where you can stop intruders before they set their extortion trap.
Act 1: Initial Access – Foothold
Initial access is how the attacker breaks into the infrastructure––and they have countless ways to get in.
Conversations around ransomware defense tend to gravitate toward preventing initial access. While ransomware prevention is, on the surface, a logical strategy, when put to the test, motivated attackers have consistently proven that they can gain a foothold. Like any good pen tester, a persistent attacker will find a way into our porous hybrid perimeters. With today’s specialized RaaS ecosystem, even a lazy extortion-motivated attacker can buy a jumpstart foothold from initial access brokers.
If that isn’t alarming enough, phishing continues to be a favorite access technique for ransom-driven intruders. Troubling research from Knowbe4 points out that 4.7% of the 6.6M people participating in a years-long phishing training will still take the clickbait.
The battle for access prevention has proven to be, at best, a deterrent to script kiddies and other easily deterred attackers, making it more of a fence than a wall. Likewise, the perimeter seems to be better approached as the ground for skirmishing than as the point of eradication for intruders—contrary to how most organizations’ allocate their security spending.
Act 2: Midgame – Optimize Collection Calculus
The midgame is the stage of the kill chain where attackers pivot through your IT infrastructure, enumerate targets, escalate privileges, phone home, and compromise assets and network data stores to compel payment. This is where modern ransomware operators get to work on their tour-de-force pain maker, causing outsized damage, leveraging game theory to compel you to pay.
In addition to moving laterally through your infrastructure, ransomware crews share a common focus on exploiting Active Directory (AD). Targeting domain admin privileges like exploited AD allows attackers to speed up asset collection operations. Because of this, ransomware trends now include shockingly short average dwell times—just five days, according to Fireeye-Mandiant’s 2021 M-Trends report. Gaining domain admin privileges gives intruders keys to the kingdom, where they can automate malware distribution through Group Policy (GPO) or escalating privileges to own Exchange, databases, and filesystems service. Numerous post-mortem advisories on ransomware gangs such as REvil and BlackMatter (rebrand of Darkside) point to AD as the preferred fast path toward ransom collection.
Famously, Cisco Talos translated the Conti playbook which had been dumped by a disgruntled insider. The playbook notably instructed Conti RaaS platform affiliates to use AD exploit tools like Cobalt Strike, ADFind, and Kerberoasting.
The midgame concept isn’t new: It’s represented as a subset of techniques in the last 11 tactics of the MITRE Framework. We refer to the modern ransomware playbook as three parts because a different set of attacker specialization is applied at each phase, and an appropriate response is required from the defending team.
Act 3: Extortion Cycle – Houston, We Have a Problem
The last item on the playbook is the extortion cycle. With the global cost of ransomware reaching $20B in 2021, it’s fair to say that, at this stage, it’s too late for you to do much of anything. At this stage, the enterprise is in recovery mode, not security mode.
Availability of backups is a critical part of the payment calculus. Unfortunately, the ransom payment has little bearing on the total financial damage that the attack will inevitably cause. Research suggests that ransom payments account for 10% of the actual damage to victims. The other 90% is a byproduct for the victim, regardless of how profitable the exchange was for the attacker.
Modern Ransomware Kill Chain in the Midgame
Your best chance to protect your customers and organization, avoid paying the ransom, and maintain your reputation is to build defenses that interrupt attackers in the midgame.
The number one resource that advanced attackers have on their side is the ability to slink around your environment, just out of sight. Therefore, a defensive strategy in the midgame must include the ability to shine a light on the dark corners where they’re hiding and living off of the land.
The good news is, attackers are not the type to stay in place. Their shameless drive for profit means that they’re regularly moving around, looking for meaty data to steal and dangle over you. Hidden in their greed is your opportunity. They’re walking around your network. You have ownership and visibility over your environment, and if you’re watching for the midgame tactics, you’ll find your guy.
Detection and Response Options
Stopping intruders is the function of detection and response, which is why Gartner calls for the use of endpoint data, logs, and the network the SOC Visibility Triad.
Traditionally, security operations centers (SOCs) have relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response. But those tools don’t provide the real-time visibility into east-west traffic that is essential for spotting ransomware midgame.
EDR has come a long way from an easily evaded anti-virus tool and plays an important part in preventing initial access. But as the leaked Conti playbook reminds us, attackers evade EDR or avoid managed endpoints altogether. The exclusive dependence on EDR leads to extensive coverage gaps across servers, IoT, 3rd-parties, and other unmanaged endpoints. Equally, SIEM technology offers essential security controls, including alerting, compliance, and dashboarding, but the fuzzy view from logs present limited actionable insight to respond to laterally moving intruders.
The network, specifically network detection and response (NDR) solutions, is the missing piece of the triad, with the data available to stop a ransomware attack in the midgame before they spring their trap.
Extrahop Reveal(x) 360 NDR
Preventing initial moves by ransomware actors may not be possible, but with Reveal(x) 360, defenders can stop intruders in their midgame before they can do real damage. Reveal(x) 360 detects ransom-driven intruders as they pivot through the victim’s IT infrastructure, enumerating targets, escalating domain privileges and phoning home—before they compromise network data stores to demand ransom.
With Reveal(x) 360 integrated forensics workflow—built on 90 days of continuous traffic record lookback and a modularly scalable PCAP repository—defenders can quickly pinpoint the root cause and scope all exploited assets and compromised data. With these ground-truth packet insights, defenders can eradicate intruder residue, close security gaps to prevent ransomware recurrence, and move on to recovery confidently.
This post is also available in: English